Depricated MDI ATP Portal - Scheduled reports

Brass Contributor

Hello, I see that the Classic ATP ( will be redirecting to the Security portal.  However I'm curious about the Scheduled reports we have set up for Lateral movements and Summary.  I don't see a direct correlation in the Security portal for those style of reports.  What is the recommendation to schedule reports in the Security portal or at least setup within the Security portal to view?


Thank you,


8 Replies

A lateral movement path report is covered by the ISPM assessments. You can find more details here:
Regarding Summary report, the health issues are available in M365D Settings > Identities > Health issues, and a summary of alerts can be found by exporting the alerts queue or using Advanced Hunting (30 days of data).
As of now, the portal does not support Schedules reports. I'll be happy if you can contact me directly by mail ( so I can further understand your needs.

There seems to be a few threads on a similar subject (new portal transition and losing "features"), so was not sure where to post in reply. @LiorShapira you seem happy to want the feedback...


The only scheduled report we use DAILY is the Modifications to sensitive groups, and if you think logically about that, it is a rational report that is useful on a schedule. MDI has seemingly good logic in what these are, and being informed by push notification is exceedingly important (be even better if we didn't get emailed when there are ZERO entries in there, but hey!) does not want to have to run an adhoc query to do that - it is a backward step. Currently, I think the suggestion as  a "workaround" is to run the Advanced Hunting query and define the groups your are interested in - that is not workable at all.  This alone would stop us moving to the new portal, as pathetic as that seems.  FWIW, I actually like the new portal...just struggling to find things. I know there is a mapping table to show where things are...but it doesn't say what is missing or being thought about  !

@StuartH . Thanks for your feedback, I appreciate it.  We will take it into account and will make sure to update the documentation. 

Can I ask we have reverted to the "old" portal, the (mod to sensitive groups etc) reports are emailed, and still valid/accessed just fine. The moment we flip to the new portal, the link obviously fails. The new portal REMOVES the ability to schedule and also, even if it existed before, access to the data is removed too...even though the reports are still emailed ! This seems all wrong

@LiorShapira, we utilized the weekly scheduled reports too and they stopped working when the MDI portal redirection was enabled.  


Are there plans to migrate this functionality to or another portal?  If not, I recommend adding some information to the emailed reports sharing the reports will be deprecated and steps to disable them.  BTW, with the portal redirection is enabled, there is no way to disable the reports.  If June 30th comes and the portal redirection is forced, there will be no way for people to disable the email reports and people will start putting in tickets if they are using the reports.

@SergioT1228 You're correct that Azure Advanced Threat Protection (ATP) is now integrated into the Microsoft Defender for Identity within the Microsoft 365 Defender portal ( While the transition brings many new features and an improved user experience, there might be some differences in the available reports.
To view the reports related to lateral movement and summary in the Microsoft 365 Defender portal, follow these steps:
1- Go to the Microsoft 365 Defender portal ( and sign in with your credentials.
2- In the left navigation pane, click on Incidents & alerts.
3- You can apply filters to focus on specific alerts related to lateral movement paths, such as Suspicious lateral movement using remote execution, Pass-the-Ticket, or Pass-the-Hash.

You can also investigate specific entities (users, devices, etc.) and view the relevant information about them.

Unfortunately, as of now, there isn't a direct way to schedule reports like the ones you had in Azure ATP within the Microsoft 365 Defender portal. However, you can leverage the Microsoft Graph Security API to create custom reports and schedule them as needed.

To use the Microsoft Graph Security API:
1- Register an application in Azure AD and grant the necessary permissions.
2- Use the API to fetch alerts and related information from the Microsoft 365 Defender portal.
3- Create custom reports using the fetched data and schedule them to be sent via email or any other preferred method.

@josequintino I am a little stunned that Microsoft are just yanking [very used] features away, and think that is acceptable. I see the portal notice (saying Jan 31) is now replaced with July 31 - surely that is time enough to get a satisfactory solution in place ?  Atleast expand on this and come up with something workable for all of your customers, and not making us do the work:


"To use the Microsoft Graph Security API:
1- Register an application in Azure AD and grant the necessary permissions.
2- Use the API to fetch alerts and related information from the Microsoft 365 Defender portal.
3- Create custom reports using the fetched data and schedule them to be sent via email or any other preferred method."


It just seems like you are dropping a lot of the good features that we purchased Azure ATP (MDI) for

Hello @StuartH I understand your concerns regarding Microsoft's decision to remove certain features from Azure ATP (MDI). While I am not a Microsoft representative, I can attempt to provide some context and potential suggestions for addressing these changes.

Firstly, it's important to acknowledge that technology companies like Microsoft often make decisions to remove, modify, or replace features based on factors like market demand, product strategy, or shifting priorities. While these decisions can be frustrating for customers, they are usually made with the goal of improving the overall product experience.

Regarding the Microsoft Graph Security API, the three steps you mentioned can help you continue accessing the features you need:

1- Registering an application in Azure AD and granting permissions: This is a one-time setup process that enables your application to interact with the Microsoft Graph Security API. You can follow Microsoft's official documentation to guide you through this process.
2- Fetching alerts and related information: With your application registered and permissions granted, you can use the API to fetch alerts and related data from the Microsoft 365 Defender portal. This will allow you to continue monitoring your environment and taking necessary actions to ensure security.
3- Creating custom reports: You can use the fetched data to create custom reports tailored to your organization's needs. This way, you can maintain visibility and control over the aspects that are most important to you.

While these steps do require some additional work from your end, they provide a way to adapt to the changes introduced by Microsoft. Additionally, consider reaching out to Microsoft Support for further assistance and providing feedback on your concerns. This can help Microsoft understand the needs of their customers and potentially make changes based on this feedback.

In the meantime, you might explore alternative solutions or third-party tools that could help you achieve your desired functionality with Azure ATP (MDI).